Privacy, Security and Occupy Central

Phones at Occupy Central

There’s something pretty amazing happening in Hong Kong right now. The Occupy Central protest, originally scheduled to begin today, got an early start over the weekend. Entire neighbourhoods have effectively been shut down by thousands of protesters seeking universal suffrage, in the former British colony that was handed back to China in 1997.

I’ve somewhat of a vested interest in all of this, as my girlfriend was born in Hong Kong and we visit there every winter. From a privacy and security standpoint, however, there are important aspects of the protest for every mobile user to consider.

Leave It at Home

The unfortunate truth about mobile phones is that their location can be easily tracked using whichever cell phone tower(s) they happen to be connected to at any particular moment. In other words, if the police want to identify you as a protester they need only to tie you to the place and time of a protest. What happens next can be as benign as the unsolicited text messages observed in the Ukraine, or considerably more invasive—like the IMSI catchers used by police forces around the world.

Here’s a tip for those taking part in Occupy Central from a Kiev protester, via reddit:

The easiest to follow and practical advice I could think of is to not have your phone with you. Getting beat up or smelling some tear gas is nothing compared to being arrested and spending part of your life in jail. If police catches you – your phone will be used against you because they can track where and when you were. Actually if you have been protesting with a phone it’s likely your name is already on some secret list of suspicious individuals.

The Humble Hotspot

I’m a big fan of the personal hotspot. Law enforcement? Not so much. Incredulous as it may seem, hotspots were banned from the 2012 London Olympics. The official line was that they interfered with other wireless communication necessary for the games, like microphones and cameras. But I think there’s a better reason: unlike a cellular tower, a hotspot obfuscates the exact location of users connected to it. You can triangulate the almost-exact position of a mobile phone using the towers its connected to. You can do the same for a hotspot, but not the devices it’s broadcasting to. Pretty big difference there.

I would think that a mesh network of connected hotspots would be a fairly effective tool against surveillance. But the Occupy protesters in Hong Kong are already using a mesh network of sorts.

FireChat

I’ve written about FireChat before. The Android and iOS mesh-messaging app got its trial run as a tool for protest during the Sunflower Student Movement in Taiwan. Now, with credible evidence of police blocking mobile networks in Hong Kong, FireChat is enjoying another moment in the spotlight with Occupy Central.

However, as security researcher Frederic Jacobs reports, FireChat is not without its limitations:

  • Because of how Multipeer Connectivity works, you need to be close to a member of the mesh to be able to connect to it (30 to 100 feet).
  • The application has no encryption meaning that no discussion is really private
  • Messages are not checked for integrity, meaning that impersonation can happen.
  • MAC addresses can be sniffed by local law enforcement making it easy to track who has been using the application

I guess all this is really only to say that the protesters in Hong Kong are putting themselves at an incredible risk—both physically and via the devices in their pockets. Given China’s history of dealing with such matters I can only hope this ends well for everyone involved.

2 thoughts on “Privacy, Security and Occupy Central”

  1. Wifi is not secure, I had my banking information stolen when i was in starbucks one day. Since then I’ve been using arcvpn to secure all my connections.

  2. Wifi is not secure, I had my banking information stolen when i was in starbucks one day. Since then I’ve been using arcvpn to secure all my connections.

Leave a Reply

Your email address will not be published. Required fields are marked *